1. Field of the Invention
This invention relates to computer systems, and more particularly, to computer systems having multiple users and multiple data files.
2. Description of the Prior Art
Computer systems are more efficiently operated when there are multiple users, and file storage devices are more efficiently used when many users share storage space on the same physical device. Each user then has the potential for accessing files belonging to other users. Free access is not generally permissible since files may contain programs or data of a sensitive nature.
Virtually all computer systems provide means for protecting sensitive files against access by users legitimately present in the computer system but not authorized to use all files. Hardware or software control mechanisms are provided to decide, at the time of a user request for file access, whether access permission is to be granted or denied. In general the information necessary for this decision is (1) file identity, (2) user identity and (3) access purpose.
Computer systems have been designed which include elaborate lists identifying which users are permitted to access which files for which purposes. The result is a complex internal bookkeeping task. As users share programs and data, the lists of permitted functions must be interchanged. See the article "Dynamic Protection Structures" by B. W. Lampson, AFIPS Fall Joint Computer Conference, 1969, pp. 27-38. The scheme described by Lampson solves the access permission problem in a general way, but the result is so complex that it has not found wide acceptance in the computer field.
This improvement is addressed to the simpler schemes which are in wide use. Each user of the computer system is preassigned an identification number (user ID). Whenever a user creates a file by reserving file space for his own use, his user ID is stored along with the file to identify the file owner (owner ID). In creating the file, the owner also specifies certain permissions which are to be granted or denied to himself as owner, and to everyone else as nonowners. Generally, these permissions are for reading and for writing the file. This information may be contained in as few as four binary digits or "permission bits," a modest addition to each stored file. Also, in systems having a common format for files containing programs and files containing data, it is usual to have permission information to indicate that the file contents may or may not be loaded into the computer and executed as a program. This may comprise an additional execute permission bit, or an additional two bits, separate permissions for owners and nonowners.
The described scheme takes into account file identity because access control information is stored in association with each file individually. User identity is taken into account in a gross but useful distinction between owner and nonowner. Access purpose is also a factor because of the coarse selection between reading, writing and execution permissions.
A shortcoming of this scheme is its inability to express fine distinctions of access purpose. Consider, for example, the problem of accessing a computer time usage accounting data file. Such a file is used by computer time accounting programs to store the elapsed time of computer usage by the various users of the system. The accounting programs and the accounting files are owned by the same user, who has permission to read and write the accounting file to permit regular updates. Suppose now that it is desired to permit each user to read from the accounting file the information associated with that user's own computer usage. This is certainly a legitimate access purpose so long as the user does not attempt to read other accounting information which is considered private as far as he is concerned.
Under the described scheme there is no simple way to permit this kind of special purpose data file access. A general user wishing to read the accounting file cannot do so directly because he will not have nonowner permission to read. He cannot execute the general accounting programs to read for him and return the information because he will not have nonowner permission to execute the general accounting programs. Such permissions must generally be denied to nonowners to assure privacy of the accounting file contents. This problem is further described in the article "MOO in Multics" by J. M. Grochow, Software - Practice and Experience, Vol. 2, pp. 303-308 (1972).
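The following is an added model of the prior-art scheme just described, not text or code from the patent: each file carries its owner ID and separate owner/nonowner permission bits, and the access decision uses only file identity, the coarse owner/nonowner distinction, and the requested purpose. The file names, user IDs and function names are constructed for illustration, and the accounting example reproduces the shortcoming the text describes.

```python
from dataclasses import dataclass

# The three access purposes the scheme distinguishes.
READ, WRITE, EXECUTE = "read", "write", "execute"


@dataclass(frozen=True)
class File:
    """A stored file with its owner ID and the two sets of permission bits."""
    name: str
    owner_id: int
    owner_perms: frozenset     # purposes granted to the owner
    nonowner_perms: frozenset  # purposes granted to everyone else


def access_permitted(file: File, user_id: int, purpose: str) -> bool:
    """Decide a request from (1) file identity, (2) user identity, (3) purpose.

    User identity enters only as owner versus nonowner; there is no
    per-user list, which is what keeps the bookkeeping small.
    """
    perms = file.owner_perms if user_id == file.owner_id else file.nonowner_perms
    return purpose in perms


# Constructed sample (hypothetical IDs): the accounting user owns both the
# accounting data file and the accounting program. Nonowners are granted
# nothing on either, which is what protects the other users' records.
ACCOUNTING_UID, GENERAL_UID = 1, 42
ACCT_DATA = File("acct.dat", ACCOUNTING_UID, frozenset({READ, WRITE}), frozenset())
ACCT_PROG = File("acct", ACCOUNTING_UID, frozenset({READ, EXECUTE}), frozenset())


def owner_can_update_accounting() -> bool:
    """The accounting owner may read and write the data file for updates."""
    return (access_permitted(ACCT_DATA, ACCOUNTING_UID, READ)
            and access_permitted(ACCT_DATA, ACCOUNTING_UID, WRITE))


def general_user_can_see_own_usage() -> bool:
    """Can a general user reach his own record, directly or via the program?

    Both routes are closed: no nonowner read on the data file, and no
    nonowner execute on the program that could read it on his behalf.
    """
    direct = access_permitted(ACCT_DATA, GENERAL_UID, READ)
    via_program = access_permitted(ACCT_PROG, GENERAL_UID, EXECUTE)
    return direct or via_program
```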